Announcements & Shameless Plugs
PaulDotCom Security Weekly - Episode 266 for Thursday November 3rd, 2011.
- Check out Hack Naked TV
- Larry is teaching SEC580 Metasploit Kung Fu for Enterprise Pen Testing in San Antonio, TX December 4-5. Tell them that NYC is where Salsa is being made now.
- Don't forget to read our blog, participate on our mailing list, visit PaulDotCom Insider, follow us on Twitter, join the IRC channel at irc.freenode.net #pauldotcom, watch our videos and add us on Facebook where we can be "friends"
- BSides, BSides, BSides everywhere
Guest Interview: Jeff Moss
6:00 PM EDT
Black Hat Founder and Director Jeff Moss has spent almost two decades as founder and director of Black Hat and DefCon, two of the most important security conferences in the world. In 2009 Moss was appointed to the Homeland Security Advisory Council to provide advice and recommendations to the Secretary on matters related to homeland security. Jeff has also worked for Ernst & Young, LLP in their Information System Security division and is currently CSO of ICANN.
PaulDotCom rapid fire questions round (TM):
- Which 3 letter acronym scares you the most?
- When playing a game of ass-grabby-grabby do you prefer to go first or second?
- Android, iOS or Blackberry?
- 3 Words to describe yourself.
- In a life or death situation, if you had to give mouth-to-mouth resuscitation to someone, would you rather it be 1) Lindsay Lohan 2) Kevin Mitnick 3) A Defcon attendee chosen at random
- How did you get your start in information security?
- Tell me about the early days of Defcon. How did you get the idea to start a hacker conference?
- Were the initial Defcon conferences "crazy" because of the age of the participants, hackers' outlook on life in general, just some irresponsible people, or all of the above? What are some of the funnier things that have happened at previous Defcon conferences?
- At some point you went on to create Blackhat. How did that come about?
- Many people have commented that when you sold Blackhat to CMP Media you were "selling out". What is your response to such comments?
- How has the attendee composition of your conferences changed over the past few years?
- Do you worry that "hacking" (white-hat, not pejorative) today is becoming less of an intellectual challenge and more "here, click this link"? Is this a good thing or a bad thing?
- Recently several organizations have suffered major security breaches, including HBGary, RSA, and Sony. What should organizations be learning from these breaches?
- Looking forward, what security trends, offensive or defensive, scare you the most?
- On the flip side, what trends, if any, in information security give you the most hope?
- How have companies' outlooks on security changed over the years? Are we making progress by speaking about security issues, or is it falling on deaf ears?
- On a federal level, do you believe the Government should regulate and/or enforce secure coding practices?
- Tell us about your work with the Security Advisory Council.
- What are your responsibilities as ICANN Chief Security Officer?
Guest Tech Segment: Jon McCoy
Jon McCoy is a .NET Software Engineer who focuses on security and forensics. He has worked on a number of Open Source projects ranging from hacking tools to software for the paralyzed. With a deep knowledge of programming under the .NET Framework he has released new attacks on live applications and the .NET Framework itself.
Stories For Discussion
- Pump Up the Insulin - [Larry] - Barnaby Jack is my hero, again. He's taken this liking to embedded devices, and this time into insulin pumps. He built a 900MHz sniffer and omnidirectional antenna to discover the devices, which, when queried, cough up their serial number - this serial number is needed to perform additional interactions with the device. From there, he developed tools to be able to increase the insulin dosage, including the ability to unload all 300 units at once (yeah, that is MORE than enough to kill you). Normally the device would vibrate or emit an alarm when the dosage is changed wirelessly, but Jack found a way to disable that too, over wireless. The vendor says they are looking at a fix, including encryption. Nothing like not thinking about security 10 years ago…
- Common Mobile App vulns - [Larry] - While this may not be earth-shattering news to some of our listeners, it still fascinates the heck out of me that web app vulnerabilities from like 10 years ago are STILL present in mobile apps, which fail on ALL of the same things that we've been preaching about for years. Why does this happen? Do the developers think that their traffic is secure over the cell networks? What about that WiFi stuff? Do the devs forget, or is it just laziness?
- Taking down a Cartel - [Larry] Subtitled as "Wow, who thought this was a smart idea?" Allegedly Anonymous wants to bring down a drug cartel that they have information on supporters and members of. While it may be fun to think that they can change the world by doing so, they quickly "backed down" (at least by some reports) after hearing that the cartel was employing their own computer folks to track down the Anonymous members. Umm, hello, organized crime has the correct kind of resources to do the tracking. I wonder if the story was done by the government to expose Anonymous?
- 1 in 60 Facebook posts are malicious and 1 in 100 tweets are malicious - Inconceivable that malicious activity happens on these social sites… 14 percent of LinkedIn users felt insecure using the site. Wonder what the next target will be.
- China Did It - Apparently we can blame China for everything… China, the NEW APT… how long before vendors actually say that they keep China out of your network?
- Chemical Industry under attack and IT'S CHINA AGAIN!! - See….
- US observation satellites hacked by China - will the insanity ever stop?
- Even Mr. Kaspersky himself is in the China CYBER terrorism camp - Who is going to stop the great Chinese menace?
- VIM turns 20! - 20 years ago VIM was released. I know a lot of us use it.